ITAudit   
Vol. 10, December 10, 2007

To Vista or Not to Vista?

Switching to Windows Vista is a decision that needs to be made carefully. Looking at the risks associated with Microsoft's latest operating system can help organizations make a decision that fits their strategic IT goals.

Joe Dysart
Freelance Writer

Nearly a year after the release of Windows Vista — the latest generation of Windows operating systems — most organizations worldwide are still cautiously evaluating the product, fearing the upgrade could represent a headache. "I gave Vista a chance — I just can't use it as my primary OS [operating system] anymore," says Chris Pirillo, a high-profile technology blogger in the United States whose rants about Vista are all too common. "The shipping version of this OS is late beta, at best."

Jeffery Web, CIO at the Southwest Virginia Higher Education Center, could not disagree more. "I'd say that we'll experience a 10- to 15-percent boost in user productivity from a combination of better security, faster search, and the more attractive interface," says Web, who began migrating to Vista in February 2007.

As part of their work, internal auditors need to stay ahead of the curve by learning about the latest IT products and trends that can enhance an organization's strategic goals and objectives. Because operating systems are an invaluable part of a company's IT infrastructure, it is essential for auditors to understand the risks and advantages posed by moving to a new operating system, such as Vista. Doing this will help auditors provide recommendations that can add value to company services, while staying in line with current and future IT goals and objectives.

RISK FACTORS TO CONSIDER

Part of the reason the IT industry is split over Vista is that depending on the hardware and software a company uses, an upgrade can be either an easy or slow, complicated process. Vista works exceedingly well with many Microsoft legacy products, including pre-Vista versions of Excel, Word, PowerPoint, and FrontPage, according to the company. But with other software, a Vista upgrade might be a risky venture. Pirillo, for example, found that after installing the initial version of Vista, his scanner, fax software, and desktop search software did not work with the new operating system. In addition, he noticed that Vista significantly slowed down his PC, a common complaint against the new operating system.

Consequently, it is no wonder that the September 2007 figures from market research group Net Applications show Vista's market penetration at 7.38 percent. Indeed, the backlash against Vista has grown so intense, PC vendor Dell has gone back to selling some select desktops and notebooks installed with Windows XP or XP Pro, according to Lionel Menchaca, Dell's digital media manager. Still, even with the lukewarm reception, many companies still grapple with a nagging concern: Should we continue to hold out against Vista or is staying with XP too risky?

To help IT managers get a handle on whether Vista is right for their company, internal auditors can recommend that they use some of the online tools offered by Microsoft and other vendors. These tools enable users to determine how existing hardware and software will perform once an upgrade to Vista takes place. Depending on the number of employees, auditors can recommend that IT departments use the Windows Vista Upgrade Advisor, which will analyze the hardware in a PC and determine if the user has enough power to run the new operating system in the machine. Furthermore, IT administrators can use Microsoft's Application Compatibility Toolkit 5.0, which pinpoints the applications that will work on Vista and which do not. Another option, the Windows Vista Hardware Assessment 2.1, analyzes Vista's compatibility for computers and hardware operating on a network. Finally, for a more independent analysis of software that works or doesn't work on Vista, auditors can recommend that IT managers useIeXbeta, a Web site maintained by a virtual community of Vista watchers and application experts from around the world.

"This compatibility issue should figure prominently in your audit, because depending on your applications, it can be a real show stopper," says Randy Franklin Smith, chief executive officer of Ultimate Windows Security.com, an organization that provides security information on the different Microsoft operating systems, IT auditing, and compliance. "We have some clients for whom all of their applications have Vista upgrades available and other clients who can't look at Vista anytime soon because of compatibility."

In terms of hardware, Smith advises organizations to research thoroughly. According to Smith, companies that are thinking about switching to Vista might need to consider buying new systems for two reasons: performance and driver-related issues. "[Hard] drive speed seems to be much more of a performance issue for Vista than XP," he explains. "The drivers, especially for notebooks, just aren't there or are of very bad quality." Another major risk factor to consider is the training needed for staff to get up-to-speed with Vista. For instance, "the names and locations of tools and dialogs were changed [in Vista], which created more support calls than would seem necessary," says Smith.

Of course, forgoing an upgrade also has its risks, mostly rooted in security. Microsoft has invested heavily to enhance Vista's security features, and even its toughest critics admit the claim is partially true. "The single biggest motivator for moving to Vista is BitLocker — Windows first native full-drive encryption feature," comments Smith. "It really works, and it's the only new security feature in Vista I'm excited about and the only reason I recommend migrating." Rob Enderle, principal analyst with the Enderle Group, an organization that consults clients on the latest IT trends and events, agrees: "This is likely the strongest benefit to the new platform, in that a wide cross-section of existing viruses will not run on it." He also likes Vista's user-authorization safeguards.

In terms of their work, internal auditors can use these risks as a baseline when determining whether Vista should be part of their operating system arsenal, as Steve Mar, an IT audit consultant with Resources Global, a multinational professional services firm, explains: "Some internal auditors may decide to follow the chief information officer (CIO) or IT department when deciding whether to migrate their current operating system to Vista. However, the auditor might discover that existing audit applications do not run well on Vista or are not compatible with the new operating system, which could create challenges when delivering high-quality audit projects. Hence, it is especially important for auditors to consider what would happen if the CIO decides, or not, to deploy Vista and the impact this decision could have on the auditor's software toolset."   

THE LINUX ALTERNATIVE

If upgrading to Vista or continuing to use the existing operating system is not an option, the CIO or head of IT might recommend that the organization switch to Linux, an open source operating system that is voluntarily maintained by IT experts around the world and which often does not suffer the kind of problems Windows does with each upgrade.

"It's a huge bargain," says Kevin McDonald, assistant director of application hosting at Vanderbilt University.  "We felt we had everything to gain and very little to lose."

Because Linux is owned by no one and can be easily improved upon by everyone, IT managers and internal auditors alike might find the idea of using a Linux operating system a good one. In fact, as Caroline Kazmierski, a corporate communications specialist for Linux service maintenance company Red Hat, explains, the advantages of Linux are more than just changing the code. "You can see the code, change it, and learn from it. Bugs are more quickly found and fixed. And when customers don't like how one vendor is serving them, they can choose another without overhauling their infrastructure."

Still, getting from here to there can be painful. Migrating to a completely new operating system means proprietary software will need to be rewritten, off-the-shelf software will often have to be replaced, and staff will need to be retrained. As a result, many companies decide to keep using their current operating system, even after doing a full cost-benefit analysis. However, for those organizations that make the jump to Linux, the rewards can be substantial.

Vanderbilt's McDonald is one of the IT administrators who decided to take this jump. Historically an HP-UX and HP3000 shop, Vanderbilt's MIS department relied heavily on Unix and Oracle for its computing environment. Beginning in 2002, however, it became evident that their HP-UX systems were reaching the "end-of-life" in terms of maintenance and performance. The university's needs for data storage alone were increasing by approximately 1,000 percent each year and the HP mainframe environment wasn't keeping pace, according to McDonald. In weighing the options, it was important that any new solution be compatible with the Oracle environment, which had become a core competency of the MIS team.

As a result, Vanderbilt asked HP for pricing on two potential solutions to replace their current infrastructure: a newer HP-UX solution and an equivalent 32-bit platform. The comparison turned out to be staggering — the proposal for an Intel and Linux solution came in at more than 60 percent less. These days, the institution's finance and human resource applications, as well as a number of other applications, all run on Linux. "Looking back, it was a pretty simple task for our experienced Unix administrators," McDonald says.

"Keep an open mind," adds Richard Ray, a systems analyst at Wake Forest University, who also made the switch to Linux. "The perception that open source is not supported, not ready for mission-critical applications is not accurate. The community model is much better. Open source has so many eyes looking at it that it is pretty solid. It just grows and evolves over time."

If making the switch to Linux is in the works, internal auditors need to warn senior managers of the risks posed by the use of open source operating systems. "Moving from Windows to Linux can be likened to the choice between business application environments: Which is more appropriate for the organization's needs, a large-scale integrated environment such as SAP or Peoplesoft, a.k.a. the Windows side, or a best-of-breed mix and match approach, a.k.a. the Linux side?" comments Nelson Gibbs, senior manager with Deloitte & Touche LLP's Audit and Enterprise Risk Services division.

According to Gibbs, senior managers also need to keep in mind different operational support and development concerns that depend heavily on the version of Linux being deployed. Options range from fully supported enterprise-level environments from vendors such as IBM and Red Hat to deployments based entirely on code modified and compiled by the IT department without external support available. "With Vista, companies transfer most of the risks and costs associated with operating system software development and maintenance to Microsoft. However, with Linux, companies may be absorbing most of those risks and costs," he explains.

SCO v. IBM

The largest legal battle concerning Linux to date is the US $5 billion SCO v. IBM trade secrets case, in which SCO Group alleged IBM contributed SCO property to the Linux kernel. During the course of the case, SCO notified Fortune 1000 and Global 500 companies of their possible liability if they continued to use Linux without paying licensing fees to SCO, and then proceeded to file lawsuits against Novell, DaimlerChrysler, and AutoZone. However, in August 2007, a judge ruled in favor of IBM finding that Novell and not SCO owns the copyrights to Unix. SCO then filed for Chapter 11 bankruptcy a month later.  

In addition, senior managers need to consider the current legal landscape with respect to Linux. As Gibbs describes, "there are still licensing, intellectual property, and other legal matters before several courts that have yet to be decided, which may impact an organization's decision to switch over to Linux, although most of the broad cases to date have been decided in favor of the Linux community."

Furthermore, there are strategic risks to consider, especially alignment with organizational goals and core competencies. "The switch to Linux might necessitate a change in the organization's staffing model, IT department skill sets, and an increased capital commitment to the IT budget, especially if the decision is made to become self-supporting," Gibbs continues. "The organization also might need to establish and develop new relationships with a different set of software vendors if pursuing an externally supported Linux environment."

AUDIT CONSIDERATIONS

Internal auditors need to consider Vista implementation from two perspectives: as part of the organization's overall risk assessment plan and as part of their audit universe (i.e., the auditor's toolkit), explains Mar. For instance, what risks could the use of Vista introduce to the organization that did not previously exist? Will the audit department deploy Vista as an operating system to perform audit projects? And if so, how will future audit projects be impacted by this change? Answers to these questions, Mar points out, will depend on the IT department's or CIO's strategic direction.   

"For the internal auditor, the decision to deploy Vista will probably depend on the CIO or IT department's strategy," says Mar. "Because the CIO may decide to deploy, postpone, or not use Vista, the internal auditor should consider the risks and impact of each option." Additionally, the auditor should contact the organization's software vendor and inquiry about the vendor's future plans to become Vista compatible. According to Mar, if the auditor uses in-house supported tools, the question should be asked of the CIO or IT department regarding the organization's level of support and compatibility. Other questions auditors should ask when deciding whether to deploy Vista include:

  • Is the auditor in a position to advise the IT department or CIO on deploying Vista?  
  • Should the auditor assess the risks of switching over to Vista and determine if it should be part of the audit universe? 
  • What has been the organization's risk history when a new operating system is deployed? 
  • What might be the impact to the organization if Vista is deployed?  
  • What should the auditor do if Vista is deployed and it impacts negatively the audit software portfolio? 
  • How can the auditor become comfortable about Vista prior to its deployment? 
  • Will deploying Vista impact how the auditor works with external parties or external auditors?  

MOVING FORWARD

As the move to Vista continues around the world, internal auditors need to recommend that senior managers carefully study their situation and weigh all their options. Only then can a decision be made that best meets the organization's current and future IT needs without causing major disruptions in work productivity. As Mar concludes, "Whether the organization will switch over to Vista or use a different operating system such as Linux, the roll-out approach should be the same and be as seamless a process as possible."

Joe Dysart is a journalist with 20 years' experience. Dysart's articles have appeared in more than 40 publications, including The New York Times and The Financial Times of London. Currently, he's a technology columnist for five vertical market industry publications, and a contributing IT editor as well.  

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

 

Keeping It Simple — An Overview of Data Privacy Compliance Requirements  

Auditors can keep organizations from becoming the next big scandal by pointing out common compliance requirements for different data privacy laws and regulations.

David Campbell
Director of Information Security and Business Continuity Planning, AccessData

If an organization creates, processes, or stores personal information, most if not all data breaches will result in some type of mandatory public disclosure, which can be devastating to the business. In particular, a data privacy breach may lead to loss of customer support, regulatory investigations, and substantial fines. What's more, in many jurisdictions class action lawsuits are becoming the norm for data breaches involving significant numbers of affected individuals.

Given the number and complexity of privacy laws and regulations worldwide, and the severe penalties for violating them, every organization should strive to prevent the improper disclosure or use of personal customer or employee information. However, understanding the compliance requirements of each applicable law can be daunting. To make this task a little easier, internal auditors can help organizations reduce this learning curve by pointing out common compliance areas that overlap different data privacy laws and regulations. This, in turn, will help the organization chose and implement a compliance program that effectively mitigates internal and external security threats and stays up-to-date with the latest regulatory changes.

THE LAWS

List of Countries With Privacy
Protection Laws

The privacy protection movement has spread worldwide. Here is a partial list of the countries that have established privacy protection as a national government function:

European Union

Austria

Italy

Belgium

Latvia

Bulgaria

Lithuania

Cyprus

Luxemburg

Czech Republic

Malta

Denmark

Spain

Estonia

Poland

Finland

Portugal

France

Romania

Germany

Slovenia

Greece

Sweden

Hungary

The Netherlands

Ireland

United Kingdom


Other Countries

Australia

Korea

Canada

Liechtenstein

Croatia

Macedonia

Dubai

New Zealand

Guernsey

Norway

Hong Kong

Switzerland

Iceland

Taiwan

Isle of Man

Thailand

Israel

Tunisia

Japan

United States

Jersey

 

Establishing an effective data security and privacy compliance program takes time, especially when the organization has to comply with several regulations, some of which may span country boundaries. Part of the task entails learning as much as possible about the different requirements the organization must comply with. Below is a summary of the main laws and regulations companies worldwide could encounter during their day-to-day operations. These include: state-level privacy breach disclosure laws in the United States, the U.S. Gramm-Leach-Bliley Act (GLBA), the U.S. Health Insurance Portability and Accountability Act (HIPAA), Australia's Privacy Law, Canada's Privacy Laws, the European Union (EU) Directive on Data Protection of 1995, the Organization for Economic Cooperation and Development (OECD) Guidelines, and the Payment Card Industry Data Security Standard (PCI DSS).

State-level Privacy Breach Disclosure Laws in the United States

To date, more than 35 U.S. states have adopted security breach disclosure laws. While the details of each law vary slightly from place to place, most of them follow a fairly consistent pattern. First, they offer a definition of the personal information that they apply to. For instance, most state privacy laws offer similar or even identical definitions of personal information. Here is an example from California's Senate Bill 1386 (SB-1386), which was the first state security breach disclosure law to be enacted: 

'For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  1. Social security number.
  2. Driver's license number or California Identification Card number.
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial  account.

For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Besides personal information, state laws identify what constitutes a reportable security breach and when an acceptable notification of the breach should take place. A reportable security breach is usually defined as the unauthorized acquisition of digital data that compromises the security, confidentiality, or integrity of the stolen personal information, while an acceptable notification of the breach should take place only when personal information was or is believed to have been acquired by an unauthorized person. For instance, most state laws require an organization that owns or licenses data to directly notify the persons whose data was disclosed. Organizations that do not own or license the disclosed information must also notify the owner or licensor of the data. In cases like these, disclosure of the breach must be made promptly, unless law enforcement requests that the notification be delayed.

Finally, many state privacy laws allow for affected consumers to sue for damages, and some even allow for treble damages. Treble damage provisions typically apply to anyone who has been harmed (e.g., an identity theft victim) as a result of a security breach. Some states offer very limited restrictions on this ability but, in general, if a treble damage provision exists, it applies to any resident of that state who has been harmed by a security breach as defined by the state's privacy law.

GLBA

This act made many changes to the way financial services firms are organized and regulated. The act also contains language that protects the privacy of an individual's personal information by requiring financial institutions to define their privacy practices, create a privacy notice that explains those practices, and distribute the privacy notice on a yearly basis to customers (i.e., someone who has a long-term or ongoing relationship with a financial institution).

In addition, GLBA requires financial institutions to provide copies of their privacy notice to consumers (i.e., someone who use the organization's services, but does not have an ongoing relationship with the financial institution) if the institution shares data with unaffiliated companies. Note that this provision does not apply if the data sharing is done to provide essential services (e.g., account servicing), is legally required, or is used to market an organization's products and services.

GLBA also gives individuals the right to opt out of certain data sharing arrangements that the financial organization may have established. For example, an individual may be allowed to limit or block the transfer of his or her information to non-affiliated companies for telemarketing, direct mail marketing, or e-mail marketing activities related to the non-affiliated company's products or services. However, a financial institution can still send data to an unaffiliated company that is performing a service on behalf of the financial institution, and the individual can't opt out. 

When complying with GLBA, it is important to understand that financial institution is defined broadly; even if an organization is not a bank, it may have to comply with GLBA. This is important to note because certain GLBA provisions require financial institutions to implement safeguards that:

  1. Ensure the security and confidentiality of customer records and information.
  2. Protect against any anticipated threats or hazards to the confidentiality or integrity of customer information.
  3. Protect against unauthorized access to or use of customer records or information, which could result in substantial harm or inconvenience to any customer.

GLBA, however, does not go into much detail about the specific technical, managerial, or operational safeguards that must be implemented. This task is left to the eight federal and state agencies that are empowered to enforce the provisions of GLBA: the U.S. Federal Trade Commission, the Office of the Comptroller of the Currency, the U.S. Federal Reserve Board, the Board of Directors of the Federal Deposit Insurance Corporation, the Director of the Office of Thrift Supervision, the Administrator of the National Credit Union Administration, the U.S. Securities Exchange Commission, and state insurance regulators.

HIPAA

HIPAA affects many aspects of health care, including the privacy and security of private health information. The act's requirements apply to a covered entity, which is defined as an organization that is any of the following: a health plan, a health-care clearinghouse, or a health-care provider who transmits health information in electronic form in connection with a defined list of transactions. According to the act, covered entities must do the following:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information.
  4. Ensure compliance with these requirements by its workforce.

HIPAA defines 42 security measures, referred to as implementation specifications, which may be required or optional for implementation. Required specifications include: the creation of a security management process, a risk analysis, enforcement of security policies, data backups, and implementation of a disaster recovery plan that specifies how to recover and restore lost data, among others. (For more information about HIPAA, read "Enhancing HIPAA Security Rule Compliance Efforts" published in ITAudit’s Aug. 10, 2006 issue.)

Australia's Privacy Law

The Australian Federal Privacy Act defines 11 Information Privacy Principles that apply to government agencies (read "Information Privacy Principles" sidebar for more information) and 10 National Privacy Principles (i.e., collection, use and disclosure, data quality, data security, openness, access and correction, identifiers, anonymity, transborder data flows, and sensitive information) that apply to private organizations and health services providers.

Information Privacy Principles

The 11 Information Privacy Principles included in the Australian Federal Privacy Act discuss the following:

  1. Manner and purpose of personal information collection.
  2. Solicitation of personal information from concerned individuals.
  3. Solicitation of personal information generally.
  4. Storage and security of personal information.
  5. Information relating to records kept by record keepers.
  6. Access to records containing personal information.
  7. Alteration of records containing personal information.
  8. Accuracy checks of personal information before its use. 
  9. Use of personal information (i.e., for relevant purposes only).
  10. Limits on personal information use.
  11. Limits on disclosure of personal information.

Australia's privacy principles were modeled after the Organization for Economic Cooperation and Development Guidelines.

According to the act, collected information must be used for a lawful purpose only. Individuals must be informed of the purpose for which the information is being collected, whether the collection is mandated or authorized by law, as well as of any other persons or organizations their information is usually shared with. Furthermore, record keepers must ensure that information is current and complete, establish safeguards to prevent the unauthorized disclosure of collected information, and attempt to ensure that other persons or organizations that receive the information do the same, among other activities.

Canada's Privacy Laws

Canada has a privacy law for the government sector and another for the private sector. The Privacy Act applies to the government sector, while the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the private sector. Because Canada is also a member of the OECD, both of these laws adhere to OECD guidelines.

In essence, the Privacy Act states that no personal information can be collected by a government organization unless it relates directly to an operating program or activity of the same institution. The organization, therefore, should only collect personal information that is intended to be used for an administrative purpose concerning the individual to whom it relates, except where the individual authorizes otherwise. In addition, government organizations need to take all reasonable steps to ensure that personal information that is used for an administrative purpose is as accurate, up-to-date, and complete as possible. Furthermore, the organization needs to dispose of the personal information in accordance with the regulations and any directives or guidelines issued by the designated minister in relation to the disposal of that information.

On the other hand, the PIPEDA references the Model Code for the Protection of Personal Information, a set of guidelines that also follow the OECD guidelines. According to this act, any organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate under the circumstances. In addition, an organization may, without the knowledge or consent of the individual, use personal information only if:

  • The organization becomes aware of information that could be useful in the investigation of a contravention of the laws of Canada.
  • The information is used during an emergency that threatens the life, health, or security of an individual.
  • The data is used for statistical, research, or scholarly study purposes that cannot be achieved without using the information.
  • The information is publicly available.

EU Directive on Data Protection of 1995

In the EU, the most important legislation concerning the protection of private information is the Directive on Data Protection of 1995, which regulates the processing and storage of personal data. While the directive's definitions for the processing and storage of personal data are broad enough to effectively cover nearly every conceivable use of personal information, there are limited exceptions for areas such as national defense or law enforcement. For instance, the directive defines the processing of personal data as any operation that is performed on the data, whether this processing is automated or not.

According to the directive, data may not be processed unless:

  • The data subject has unambiguously given his or her consent.
  • Processing is necessary for the performance of a contract to which the data subject is party to or to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject to.
  • Processing is necessary to protect the vital interests of the data subject.
  • Processing is necessary for the performance of a task carried out in the public's interest, in the exercise of official authority vested in the controller, or in a third party to whom the data is disclosed.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the data are disclosed, except where such interests are overridden by the data subject's fundamental rights and freedoms.

The directive also applies to data processors, which are companies or data centers that operate in EU member countries. Interpretation of the rules is left to individual EU member states, which are empowered and directed to implement laws regulating data processing that are compatible with overall EU directives. For additional information about the Directive on Data Protection, visit the EU's law Web site.

OECD Guidelines

List of OECD Member Nations

OECD member nations include:

Australia

Hungary

Norway

Austria

Iceland

Poland

Belgium

Ireland

Portugal

Canada

Italy

Slovak Republic

Czech Republic

Japan

Spain

Denmark

Korea

Sweden

Finland

Luxembourg

Switzerland

France

Mexico

Turkey

Germany

The Netherlands

United Kingdom

Greece

New Zealand

United States


Note:
Some of these countries are also members of the European Union (EU). In this case, these countries need to meet OECD and EU member requirements. In addition, if one is more stringent than the other in a particular area, the country would have to comply with the more stringent of the two. 

After recognizing the need to protect privacy rights, while allowing the free flow of information between its member states, the OECD adopted its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data on 1980. These guidelines provide a common set of standards that allow the exchange of personal information in the public or private sectors between OECD member countries.

The OECD guidelines, like other privacy standards, define a number of critical terms. These are:

  • Data controller — a party who according to domestic law is competent to make decisions on the contents and use of personal data regardless of whether or not such data are collected, stored, processed, or disseminated by that party or by an agent on its behalf.
  • Personal data — any information relating to an identified or identifiable individual (i.e., data subject).
  • Transborder flows of personal data — movements of personal data across national borders.

The guidelines then establish a set of eight principles that member states must follow:

  1. Collection Limitation Principle (i.e., member states need to limit their collection of personal data, which should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject).
  2. Data Quality Principle (i.e., personal data should be relevant to the purposes for which it is to be used and needs to be accurate, complete, and up-to-date).
  3. Purpose Specification Principle (i.e., the purposes for which personal data is collected should be specified at the time of data collection. Any subsequent uses should be limited to the fulfillment of those purposes and need to be specified whenever a change of purpose occurs).
  4. Use Limitation Principle (i.e., personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle, except with the consent of the data subject or by the authority of law).
  5. Security Safeguards Principle (i.e., personal data should be protected by reasonable security safeguards against risks such as loss or unauthorized access to data, as well as destruction, use, modification, or disclosure of personal information).
  6. Openness Principle (i.e., member states need to have a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available to determine the existence and nature of personal data and the main purposes for the information's use, as well as the identity and usual residence of the data controller).
  7. Individual Participation Principle (i.e., an individual has the right to obtain confirmation on whether a data controller has information relating to him or her. In addition, individuals have the right to obtain this information within a reasonable time and manner, at a reasonable charge, and in a form that is readily intelligible, as well as have personal information erased, rectified, completed, or amended).
  8. Accountability Principle (i.e., a data controller should be accountable for complying with measures that affect the principles stated above).

The PCI DSS

This standard addresses information security requirements for organizations that process credit card data. More specifically, the standard requires all merchants and service providers around the world who store, process, or transmit customer credit card data to adopt aggressive security controls that ensure the integrity of customer information. To obtain the compliance certificate, the standard requires organizations to complete a series of 12 steps to be certified annually and checked quarterly. These steps are organized in six categories:

  • Building and maintaining a secure network (i.e., step 1: installing and maintaining a firewall to protect data, and step 2: not using vendor defaults for system passwords and other security parameters).
  • Protecting cardholder data (i.e., step 3: protecting stored data by developing a data retention and disposal policy, among other activities, and step 4: encrypting transmission of cardholder data and sensitive information across public networks).
  • Maintaining a vulnerability management program (i.e., step 5: using and regularly updating antivirus software, and step 6: developing and maintaining secure systems and applications).
  • Implementing strong access control measures (i.e., step 7: restricting access to data on a need-to-know basis, step 8: assigning a unique identification number to each person with computer access, and step 9: restricting physical access to cardholder data).
  • Regularly monitoring and testing networks (i.e., step 10: tracking and monitoring access to network resources and cardholder data, and step 11: testing security systems and processes regularly).
  • Maintaining an information security policy (i.e., step 12: maintaining a policy that addresses information security).

While the compliance requirements for all processors are the same, the audit and verification requirements vary depending on factors such as the number of transactions or accounts processed annually. For example, merchants that process more than 6 million transactions per year, have suffered a security breach that resulted in account data exposure, or are specifically designated by a card issuer (e.g., VISA or MasterCard) must undergo an annual PCI DSS compliance audit and undergo quarterly network vulnerability scans. In addition, credit card service providers, payment gateways, or credit card processors that handle more that 1 million transactions or accounts annually must also undergo an annual PCI DSS compliance audit and undergo quarterly network vulnerability scans.

Although the PCI DSS is a not a law, its effect is much the same. Violations of PCI DSS security requirements can lead major credit card companies to stop doing business with a processor or merchant. This is what happened to CardSystems Solutions after a security breach exposed data on 40 million accounts.(For more information about the standard, read "Is Your Organization Ready for a PCI Standard Audit?" published in the June 10, 2006 issue of ITAudit.)

GETTING TO KNOW THE LAW

In today’s political and economic environment, individuals, states, and nations are increasingly intolerant of improper use or disclosure of private information, whatever the cause. As a result, many privacy protections continue to be enacted as law all over the world reflecting a global desire for personal privacy and a reaction to abuses of privacy, such as identity theft. However, while these regulations aim to protect personal information, their increase in numbers is making compliance efforts quite expensive and complex.

Although the language used varies significantly from country to country, the same basic themes and issues show up time after time in current law, industry standards, and proposed legislation. For instance, organizations are expected to respect individuals' privacy by collecting, using, and disclosing personal data only for legitimate purposes. Organizations are also expected to be open about their practices and to allow individuals to review the data that is collected about them. Last, but not least, organizations are expected to implement effective security safeguards to prevent the improper disclosure of personal information.

As part of their work, internal auditors should familiarize themselves with applicable privacy laws and regulations and recommend that organizations examine regulations that are specific to their industry. Armed with this knowledge, auditors can provide recommendations that can help organizations design and implement compliance programs that meet different regulatory requirements and point out common requirement areas to maximize and simplify compliance efforts.

David Campbell is the director of information security and business continuity planning for AccessData. Campbell has more than 20 years' experience in various aspects of software engineering, application and systems security, and database architecture. Prior to joining AccessData, he served as director of security applications architecture at Red Siren Technologies, where he was responsible for the architecture and design of systems supporting the organization's managed security service provider products.

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

 

Essential Aspects of an Effective Network Performance Audit

Ongoing assessments of an organization's Internet use, cable performance, e-mail server, and network management activities, can help auditors identify network problem areas before they become too costly to fix.

Nikhil Wagholikar
Information Security Analyst, NII Consulting

Regardless of recent improvements in network performance and capacity, it is essential for network administrators to periodically assess the reliability of network technology and its ability to meet business needs. Consequently, network performance assessments can help organizations determine whether the programs, hosts, and applications that are installed on the corporate network function properly. More specifically, these performance audits need to examine the network's bandwidth use, as discussed in the Nov. 10 issue of ITAudit , as well as the company's Internet use, cable performance, and e-mail server activities. To this end, auditors should assess companywide network management activities, including its network's capacity use, change management processes, incident response activities, and log monitoring functions. Following is a discussion of each of these components.

INTERNET USE

Besides network bandwidth use, violation of Internet use policies can cause network performance problems. Unauthorized network activities typically performed during work hours include:

  1. Accessing pornographic Web sites, as well as file, photo, and video sharing sites.
  2. Performing online trading.
  3. Accessing personal e-mails and forwarding e-mails with large attachments, such as videos, PowerPoint presentations, and pictures.
  4. Downloading unlicensed software that might contain malware (e.g., spyware and adware applications, and viruses, Trojans, or worms), which may cause a denial-of-service (DoS) attack.

To determine whether employees are adhering to established Internet use policies, internal auditors and network administrators can sniff (i.e., monitor and analyze) data packet traffic flowing between the organization's gateway and the Internet service provider (ISP). This can be achieved by using a switched port analyzer (SPAN) or placing a hub (i.e., a common connection point for devices in a network) between the ISP and the organization's router or firewall (refer to figure 1 for an example of a hub).

typical corporate hub
                                                    Figure 1. Example of a typical corporate hub diagram

 

When sniffing traffic, it is important to keep in mind that data packet sniffing can lead to a self DoS due to the large amount of data that is generated and captured during traffic monitoring especially during peak work hours. As a result, auditors should use a filtering configuration, such as capturing data up to 300 megabytes (MBs) or capturing only HTTP, HTTPS, file transfer protocol (FTP), or port-specific traffic. A second solution is to perform a sample sniffing activity (e.g., periodically monitoring network data for a group of clients or users) and generalizing the results of this activity to the entire organization. Finally, the auditor can recommend that the organization obtains an Internet use statistics report from the ISP, if possible.

Additionally, Internet use analyses can detect malware infections in the local area network (LAN) that are the result of inappropriate Internet use or determine if applications residing in the network are using the Internet redundantly. For instance, when a worm is present in the LAN, the worm usually tries to contact a particular Internet protocol (IP) or URL to further damage the network. On the other hand, redundant Internet use occurs when all computers residing in the network individually check for and download updates or patches, which can be avoided by using a centralized patching server.

Top Internet Activities to Monitor

Typical Internet activities internal auditors need to monitor during a network use analysis include:

  • The top visited Web sites.
  • The number of bytes exchanged between the Internet and the user or client machine, also known as the input/output (I/O) byte exchange.
  • The number of bytes used per hour or per day.
  • The number of Web sites and requests that users or client machines were denied access to.

For instance, a network performance audit was conducted and it found that the I/O byte exchange is between 90 percent to 95 percent of the network's overall bandwidth use, even during non-peak work hours. Assuming that this traffic is genuinely used for business purposes and not for any personal use, this would be a clear indication that the organization needs to upgrade its current Internet bandwidth.

Finally, Internet use analyses can be used to determine whether the organization needs to upgrade its current Internet bandwidth and speed. To this end, auditors can monitor Internet activity through the use of proxy servers (i.e., servers that reside between a client application, such as a Web browser, and a real server to intercept client requests and forward them to the other server). Proxy servers in use today include open source types, such as SQUID, Privoxy, or Sun Java Web Proxy server, as well as commercially available ones such as Microsoft's Internet Security and Acceleration Server.  

CABLE PERFORMANCE

Another performance problem leading to network congestion is cable-pair connectivity. In essence, the network may experience a signal loss during a data transfer session if any of the two copper wire pairs (i.e., the four wires required for LAN connections with a transfer speed of no less than 100 MBs per second) is not properly connected end-to-end. Because any signal loss during a data transfer session could result in low network performance, auditors need to determine if the cables are connected properly. To do this, auditors need to use a pair of hardware cable testers, which need to be connected at the two ends of the physical network cable. When conducting the test, all lights must blink on the cable tester. If this happens, then the network cable has perfect point-to-point connectivity.

Auditors need to note that the organization may choose not to use all four cables for network connectivity, such as in the case of a category five (CAT5) cable. In this case, only the lights correlating to the cables that the organization is using should blink on the hardware cable tester. If even one light is not blinking according to the organization’s cable deployment policy, then there is no perfect peer-to-peer connectivity within the LAN. Consequently, audit reports should clearly specify which cables had insufficient network connectivity.

E-MAIL SERVER REVIEW

Many companies implement a private or local mail server for internal and external e-mail use. For instance, the organization may have a single mailbox for all employees that is hosted by an e-mail service provider. The organization will then install a local mail server at their end to retrieve information from this single mailbox, which is then segregated locally based on employee e-mail IDs. Therefore, if an employee wishes to send an e-mail to a co-worker, the e-mail is sent through this local mail server directly to the recipient. Otherwise, the local mail server will forward the e-mail to its parent mail server for further delivery to the intended external recipient.

Key points to look for when reviewing e-mail server performance include:

  • The presence of large numbers of rejected e-mails, especially to a particular user.
  • Any malicious requests by or to any user in the organization.
  • The possibility of an open-relay mail server.
  • The presence of large numbers of attachments, especially spam (i.e., unsolicited e-mail) attachments.
  • The ratio of spam e-mail to genuine e-mail.

These key points need to be analyzed and verified manually by the auditor along with the network or system administrator. Also, a cross-verification should be performed by analyzing e-mail server logs. For example, if spam e-mail is congesting the majority of the network's bandwidth, the organization should upgrade its existing spam-filtering solution.

NETWORK ACTIVITY ASSESSMENTS

The auditor also needs to analyze the effectiveness of the processes or activities that are used to manage the network. These activities include the network's capacity use, change management processes, incident response activities, and log monitoring functions.

Capacity Use

The network capacity planning process compares the organization's current and future network capacity in terms of their use and efficiency. Any discrepancy between any user requirements and the organization's capacity can lead to inefficient network use. Therefore, the aim of network capacity planning is to resolve this discrepancy.

To plan for current and future use, internal auditors can recommend that network administrators monitor network use logs. For example, if the network administrator notices that the company currently uses 70 percent of its network bandwidth, he or she can request the purchase of more network resources (e.g., switches, cables, PCs, etc.) to management.

Change Management

Change management is a logical approach that defines the policies, procedures, and controls that need to be used for specific business functions or activities. In terms of network performance, the organization's change management policy needs to document, for instance:

  • How Active Directory changes will be handled.
  • Different firewall rules, such as opening a port.
  • Changes in logging systems.
  • How to change user access rights to network resources or data.
  • The addition and removal of new computers.
  • The proper way to configure network access for individual users.

A systematic documentation of all network changes can help administrators to easily manage the network, as well as help management and internal auditors to quickly understand networkwide changes. Change management policies and actions also can enable auditors and administrators to evaluate network problems at a quick glance and determine the causes for network performance issues or, worse, a security breach after a particular change or upgrade is made.

Before a change or upgrade is made to a network component, auditors need to recommend that network or system administrators discuss the activity with a senior executive, such as the chief technology, information, or security officer, to evaluate the impact the change or upgrade can have on various network aspects (e.g., application compatibility, security, and network performance issues). Finally, auditors need to ensure that the change management policy or document is authorized and signed by the senior manager (refer to figure 2 for a sample change management form).



XYZ Company Ltd.
Company Address
Branch Name

  Policy number: (Policy number for this change.)

  Change requested by: (Name of the user or organization.)

  Reasons for requesting the change: (Specify the reason for the change.)

  Impact of the change:  (Evaluate the impact of the change on the network.)

  Authorization of the change:  (Name and signature of senior executive, e.g., CTO or CISO)

  Was the change tested in a test environment? (Answer yes or no.)

  Reference previous change:  (Reference policy number.)

 
Figure 2. Sample change management form
 
Incident Response
 

If a process or service exists, problems will always be associated with the same. This same principle applies to computer networks too. Therefore, companies need to have a standard procedure to handle network problems and provide a quick and efficient solution to those problems. Key items internal auditors need to review when assessing an organization's network incident response plan or document include:

  • The level of vendor support (i.e., how will the vendor provide support for problems reported by the organization — will this support be provided over the phone or in person? In addition, is the vendor support team or contact person located in a nearby location or foreign country?).
  • An inventory of all network programs and applications.
  • Service-level agreements between the organization and the vendor for specific network programs and applications identified in the inventory list.
  • Change management policies and procedures.
  • A list of incident response team members and their qualifications.
  • The organization's approach toward solving any network incidents and the steps that will be taken for mitigating the same as specified in the business continuity or disaster recovery plan, in addition to determining how the plan will be maintained.  
  • Configuration backups for all network programs and applications (e.g., are these devices tested in a test environment prior to restoration, are backups encrypted, and where are the backups stored)?   

Log Monitoring

Proactive action is always a better step than reacting to an IT problem. When it comes to network performance, proactive steps apply to monitoring network activities and identifying problems that might affect the organization in the future. One of the best ways to monitor network activities is through data logging. Logs generated can be either from a firewall, managed switch, operating system log, or an application log. For instance, an organization is growing rapidly in terms of its revenue and number of employees within a short period of time. To keep up with this growth, network administrators need to identify the effectiveness of currently used network switches, cables, computer systems, and accessories in keeping up with network performance. Network administrators may also need to update or increase the availability of these and other network components within the next three months so that the company's continuity of flow is not disrupted.

A GOOD MEASURE OF NETWORK OPERATIONS

The use of ongoing performance audits can help IT departments better measure the network's effectiveness and efficiency. To this end, internal auditors need to examine key network functions and components, such as the company's network bandwidth use, the current level of Internet use, the performance of network cables, and e-mail server activities. These network performance audits need to be an ongoing part of the organization's proactive measures to identify any IT system break downs before they hinder the organization's day-to-day activities. Besides collecting and reviewing this information, auditors can examine the network's server memory use and central processing unit (CPU) capacity, which may also hinder network performance.

Nikhil Wagholikar, CEH, is an information security analyst with Network Intelligence India (NII) Pvt. Ltd., an IT security consulting firm located in Mumbai, India, that offers ethical hacking, computer forensics, security auditing, ISO-27001 compliance, and business continuity management services. As part of NII's team, Nikhil has worked on multiple security projects and audits dealing with all aspects of IT, and conducts penetration tests and vulnerability assessments for clients. Nikhil holds the certified ethical hacker designation.

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

 

Book Provides Essential Information on Computer Forensics

 computer forensics book

Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers                                                                                 
By Michael Sheetz
Copyright: February 2007
ISBN: 978-0-471-78932-1
Hardcover, 176 pages
John Wiley & Sons Inc. Publishing

 

 

 

 

 

 

 

 

While computers and the Internet have made organizations and individuals more efficient, they have also made the entities more vulnerable to fraud, identity theft, and unwanted and unauthorized intrusions. Because of these new risks, organizations and individuals need to understand evidentiary, technical, and legal issues related to digital evidence. Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers by law professor Michael Sheetz provides an introduction to computer forensics in a non-technical manner.

The author, who has 20 years' experience in civilian and military law enforcement in the areas of white collar crime and high-tech investigation, begins with a history and definition of computer forensics in chapter one. According to Sheetz, computer forensics is the study of computers in a manner that is consistent with the rules of evidence and court rules of procedure. The chapter concludes with a history of computer evolution and a description of the hacker community.

In chapter two, the author provides a high-level description of computer processing (i.e., input, storage, processing, and output). A key point mentioned in this chapter is that many electronic devices today, such as cellular phones, MP3 players, iPods, fax machines, printers, USB storage sticks or thumb drives, and digital cameras, are computers with processing units and storage that may hold evidentiary materials.

After describing computer processing, Sheetz discusses the first two steps of the computer forensics process (i.e., reservation and collection of digital evidence) in chapter three. This chapter also discusses the legal concept of admissibility of evidence — a critical step in the computer forensic process — which states that if evidence is not properly preserved, it will not be admitted in court. Hence, the evidence to be presented must be the most reliable and readily available. Although the original source is preferred, steps should be taken to prove that all the evidence seized is not changed from the evidence presented in court. In addition, the author discusses the impact of power-on, boot-up; power-down, shut-down; and routine operating system function on digital evidence preservation.

Next, Sheetz discusses the aspect of analysis and recreation of digital evidence in chapter four. To this end, the author suggests some computer software tools to aid in the analysis process. Investigators typically use these tools on digital images or copies of the original storage devices, thereby preserving the original evidence.

Chapter five goes into more detail by providing information on the final steps of the computer forensics process (i.e., reporting and rendering the opinion). As Sheetz discusses, report writing is made easier if good documentation of the site is made at first contact by capturing details such as photos of the equipment and set up; making diagrams of component connections and cables; and placing tags on each wire, cable, or connector. Furthermore, the report should contain the following sections: an executive summary or abstract, a table of contents, a body or findings section, a conclusion, supporting documents, and appendices. Finally, the chapter discusses the different steps in the trial process (i.e., dispute or offense, complaint-pleading or indictment, service of process, plead or answer the complaint, pretrial motions filings, depositions and interrogatories, demands for production, and the trial).

These five chapters present the basic information on computer forensics. The next two chapters talk about how computers can be used to cause harm. More specifically, chapter six describes some of the threats to computer systems — from the outside and the inside of the organization — which can range from unauthorized use and theft of proprietary data (i.e., customer data, employee data, or intellectual property) to denial-of-access attacks and intentional destruction of equipment. This discussion is continued in chapter seven, which also talks about how computers can be used to cause harm. For instance, computers can be used to prepare a ransom note in an extortion crime or to create fake cash or cash equivalents. Computers also may contain evidence of other crimes, such as financial records of illegal activities, including the selling of drugs or bookmaking.

Chapter eight then describes how computers can be used for computer forensic examinations. The first essential step is to be sure you have proper authority to conduct the search. The author also introduces computer forensic tools and points out particular areas to examine for evidence, such as file storage areas, which may be overlooked during an investigation.

Finally, the book concludes with some of the concerns relating to the presentation of digital evidence in court. As Sheetz points out, while the computer forensic examiner may be highly technically trained and skilled, he or she must remember that the evidence is presented to a jury of peers who may not understand how a computer works. Sheetz also discusses the legal concept of evidence, by describing the various types of evidence and the legal requirements for each category, and provides information on some of the legal complications related to computer systems and some of the laws that attempt to address these issues.

Each chapter ends with a suggested reading list.

Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers provides a good introduction to the area of computer forensics. If you are not aware of the risks associated with the use of computers, then I would highly recommend you start with this book to get a good overview of the subject.

The editor would like to thank Michael S. Hines, OS/390 systems programmer with Purdue University's IT department, for reviewing this book.

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

 

U.S. Government Pushes for IT Security Skills Baseline

The U.S. Department of Homeland Security (DHS) recently published a draft of the IT Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development (PDF, 423 KB). Written by DHS' National Cyber Security Division (NCSD), the document is a compilation of the skills and core IT security competencies needed to fight off cyberattacks against the United States.

"The convergence of voice and data communications systems, the reliance of organizations on those systems, and the ongoing threat of sophisticated adversaries and criminals seeking to compromise those systems, underscores the need for well-trained, well-equipped IT security specialists," says Greg Garcia, DHS' assistant secretary for cybersecurity and communications, while speaking at a workshop at Dartmouth College. "These specialists need to be good, innovative chess players, because this really is something of a technological chess match, only check mate is not an option for us."

The NCSD began development of the IT Security EBK in 2003, as the sophistication of hackers, terrorists, and nation states began increasing. It worked with the U.S. Department of Defense, public and private sectors, and members of academia to study how IT security skills could be advanced on a national level to face these growing threats. By studying existing workforce certifications and other domain-based IT security models, the taskforce came up with 14 key competencies that encompass all public and private security roles and functions.

The resulting draft is an umbrella document that links functional perspectives and competencies to IT security roles to provide a national baseline of skills that IT security practitioners must have to carry out their specific roles and responsibilities. However, the EBK is not a set of guidelines and is not meant to represent a standard, directive, or policy, according to the document overview. Instead, the EBK:

  • Clarifies key IT security terms and concepts.
  • Identifies notional security roles.
  • Defines four primary functional perspectives.
  • Establishes an IT security role, competency, and functional matrix.

Some of the benefits of the IT Security EBK include promoting uniform guidelines to increase efficiency of IT security education, training, and professional development; and providing content guidelines for future skills training and certification. Through this unified approach, the EBK integrated the best practices of a wide variety of IT security stakeholders.

A full copy of the draft can be downloaded from the U.S. Computer Emergency Readiness Team Web site.

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

 

Report Discusses How to Achieve the Best Value From Data Analysis

Data analysis has benefited internal auditors worldwide for the past 20 years. A new white paper from solutions provider ACL Services Ltd., Best Practices for the Use of Data Analysis in Audit, discusses the state of data analysis in the internal audit profession — referred to as audit analytics — and provides information that can help internal auditors achieve the highest value from data analysis.

According to author John Verver, CISA, vice president of product strategy for ACL, three key issues need to be addressed for auditors to obtain the best value from audit analytics:

  • Data access and management.
  • Quality and control of audit analytics processes.
  • Collaboration, efficiency, and sustainability.

"To put it simply, distributing standalone software and arranging for training cannot achieve the maximum benefits," explains Verver. "Best practices are delivered through a managed central server environment that provides optimized and secure data access, plus effective collaboration, knowledge, sharing, sustainability, and efficiency. In each case, the most effective solutions begin with a central server environment that ensures security, accessibility, quality controls, and the long-term sustainability of audit analytics practices."

In terms of data access and management, auditors need to understand existing organizational practices and have access to large volumes of data. To this end, creating and maintaining an audit data repository that consists of sub-sets of companywide data and only represents information needed for the audit is the most common and effective solution. This repository, says Verver, should run in a secure server environment that adheres to data security and management policies and procedures.

"Maintaining the audit repository on a secure server environment is a critical way to ensure data integrity and proper management, and to quickly process large data volumes for both interactive inquires and automated tests," Verver emphasizes. "Server data security is typically far more effective than controls implemented on individual laptops or PCs, which is why server environments are strongly recommended with audit analytics."

To achieve the desired level of quality and control in the audit analytics process, internal auditors need to address challenges pertaining to the reliance on and management and control of data analysis. "Although many audit organizations encourage the use of audit analytics, it is not uncommon for specialists and generalists to be given a relatively free hand in the procedures they perform. This opens up opportunities for a flawed approach, which leads to incorrect conclusions," says Verver. For instance, if the business process being audited is not fully understood, the data fields used for analysis may be invalid for a given audit objective or the data manipulation may be wrong.

To address these challenges, auditors need to develop and manage a central library of standard procedures and tests. This central library can include information on the types of tests that must be performed for all audit analytics and the type of analysis required to achieve a given audit objective. In addition, auditors need to achieve control over the integrity of the audit analytics process and ensure that the analysis is accurate and supports a specific audit objective.

Finally, Verver recommends that audit analytics processes be collaborative, efficient, and sustainable. "In order to achieve more widespread use, knowledge sharing and effective collaboration are critical," he says. "If knowledge is isolated between auditors and information that is difficult to share and lever, the overall benefit can be considerably reduced." For collaboration, efficiency, and sustainability to take place, audit analytics needs to be made a fundamental component of the organization's audit strategy. Furthermore, a centralized system approach that focuses on collaboration, knowledge sharing, and efficient, repeatable processes needs to be established. Areas in which knowledge and information can be shared include projects, data definitions and dictionaries, standard test libraries, and results.

"The decision to implement an efficient and effective audit analytics solution should be a strategic one and not a tactical approach," Verver comments. "This strategic approach requires audit management to engage others in the organization to explain desired outcomes; change existing procedures and protocols; and plan the transition to a more centralized, managed, and secure approach to audit analysis."

To read the full white paper, visit the ACL Web site.

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

 

Survey Provides Insight Into Future IT Security Trends

More than 65 percent of IT departments have identified wireless local area network (WLAN) security, vulnerability scanning, and Web application firewalls as additional security investments to be made during the next fiscal year, according to the results of a market survey conducted by Astaro Corp., a unified threat management (UTM) security provider. More than 2,800 IT professionals from industries such as manufacturing, health care, education, and financial services participated in the global market-trend survey and provided information on topics ranging from IT security tools and managed services to key IT challenges and planned investments.

According to the results, 100 percent of the IT professionals surveyed said they rely on firewalls as their first line of defense against external attacks. Other tools used include antivirus software (91.5 percent), anti-spam scanners (90 percent), virtual private networks (VPNs) (81 percent), and intrusion protection systems (74 percent). The survey also found that 70 percent of respondents are concerned with preventing unauthorized users from accessing corporate networks or confidential data. A similar number of respondents — 72 percent — said that identifying possible security vulnerability areas will be the biggest challenge for IT departments over the next five years. Other identified challenges include:

  • Preventing breaches in confidential information.
  • Protecting organizations against worms and hacker attacks, as well as wireless data communications.
  • Guarding against threats to mobiles devices and preventing mobile devices with inactive and outdated security from connecting to the company network.
  • Scanning content from instant messages and peer-to-peer applications.
  • Protecting voice over IP communications.

In addition, the survey identifies the security solutions that organizations plan to invest in over the next two years. These solutions include firewalls; virus, spam, and spyware protection software; VPNs; intrusion protection applications; URL content filtering; instant messaging and peer-to-peer control software; and e-mail encryption programs. Finally, 65 percent of respondents identified WLAN security, vulnerability scanners, and Web application firewalls as the top three applications they are interested in investing during the next fiscal year.

"Companies are finding that they can't rely on the basic network security they had in place just a few years ago," says Astaro Chief Executive Officer Jan Hichert. "Network administrators are continuously faced with the task of updating and adding layers of protection in order to keep their networks secure against the latest threats."

To download a full copy of the survey results, visit The IIA's Web site  (PDF, 75 KB).

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

 

IT and Audit News

Secret backdoor could be present in new encryption standard; new update enhances security features on Apple operating systems; tips for managing GRC software; internal auditor discusses use of rules vs. internal policies.

______________________________________

GOVERNMENT GRAPEVINE

Secret Backdoor Could Be Present in New Encryption Standard
A new random-number encryption standard, called Dual_EC_DRBG, might contain a backdoor for the U.S. National Security Agency.
http://www.wired.com/politics/security/commentary/
securitymatters/2007/11/securitymatters_1115

Security Breach Exposes Data on 25 Million Individuals
British Chancellor of the Exchequer Alistair Darling recently stated that the UK's Revenue and Customs office lost two discs containing the personal information of everybody in the country who claims and receives child benefits.
http://www.news.com/U.K.-government-reveals-its-
biggest-privacy-disaster/2100-1029_3-6219772.
html?tag=cd.lede

World Could Face Online War Threat
According to an annual report by security vendor McAfee, approximately 120 countries are developing ways to use the Internet as a weapon to target financial markets. This "cyber cold war" threatens to become one of the biggest threats to security in the next decade.
http://www.news.com/World-faces-cyber-cold-war-threat%
2C-report-says/2100-7349_3-6220619.html?tag=cd.lede

______________________________________

SECURITY UPDATES

New Update Enhances Security Features on Apple Operating Systems
Apple released a security update to current and previous versions of its OS X operating system that improves reliability when using VMware's Fusion and synchronization between iPhone and Yahoo address books.
http://www.informationweek.com/security/
showArticle.jhtml?articleID=203101113

Fixing 10 Security Threats on Virtual Servers
Controlling virtual machines and applying existing processes to virtual machines are two of the 10 ways to address security threats on virtual servers. 
http://www.cio.com/article/154950/

Hackers Use Banner Ads to Hijack PCs
New breed of online ads from reputable Web sites are hijacking personal computers and harassing users until they agree to buy antivirus software.
http://www.wired.com/techbiz/media/
news/2007/11/doubleclick

Antivirus Software Could Enhance Network Vulnerabilities
German security experts discussed how vulnerabilities in antivirus software make these programs a threat to corporate network security.
http://www.securityfocus.com/brief/632

Social Networking Sites Raise Security Threats
Research from a British online organization found that social networking Web sites could increase people's chances of getting their personal information stolen.
http://www.informationweek.com/security/
showArticle.jhtml?articleID=202806063

Microsoft Issues Important Security Updates
The software company issued two security updates. The first update repairs a critical flaw that opened Windows systems to Web-based attacks, while the second update fixes a vulnerability in Windows Domain Name System servers.
http://www.cio.com/article/154450/Microsoft_Issues
_Two_Vital_Windows_Security_Updates

Flaw Affects QuickTime Media Player
A Polish researcher published exploit code for an unknown vulnerability in Apple's QuickTime media player that can be triggered by a call to a real-time streaming server.
http://www.securityfocus.com/brief/633

Google Removes Web Sites Targeting Searchers
The search engine has purged tens of thousands of malicious Web sites after a software company stated that many search results on Google lead to malicious Web pages that can compromise computer systems.
http://informationweek.com/news/showArticle.
jhtml;jsessionid=PUYP5YSKWALGMQSND
LRCKHSCJUNN2JVN?articleID=204300556

______________________________________

SOFTWARE UPDATES

Tips for Managing GRC Software
Experts offer insight to help organizations make the most of their governance, risk, and compliance tools.
http://www.itcinstitute.com/display.aspx?id=4494

Microsoft Expert Unveils Open Source Strategy
The company's open source expert, Bill Hilf, revealed its open source business model.
http://www.informationweek.com/windows/show
Article.jhtml;jsessionid=MTFUDOSQV3UHSQS
NDLRCKHSCJUNN2JVN?articleID=203100965

Windows XP Outperforms Vista
New tests have revealed that Windows XP has twice the performance of Vista.
http://www.news.com/Windows-XP-outshines-
Vista-in-benchmarking-test/2100-1016_3-
6220201.html?tag=nefd.pop

Mac Hacking Attempt Is Public Relations Stunt
Alleged AppleMatters.com and iPhoneMatters.com hacks were nothing but hoaxes, while Apple-specific hacking attempts are on the rise.
http://www.informationweek.com/software/
showArticle.jhtml?articleID=204300601

______________________________________

OTHER IT AND AUDIT NEWS

Internal Auditor Discusses Use of Rules vs. Internal Policies
Auditor discusses the use of internal policies, standards, frameworks, and controls for compliance with the U.S. Sarbanes-Oxley Act of 2002.
http://www.itcinstitute.com/display.aspx
?id=4444

Tips to Spot Pirated Software
Because the number of people who innocently purchase or receive pirated software increases during the end of the year, the Software and Information Industry Association is providing tips on how to spot illegal software.
http://www.informationweek.com/security/show
Article.jhtml?articleID=203101025

Copyright Enforcement Organization Battles Piracy Front
The Business Software Alliance is targeting small organizations to detect unlicensed software use and piracy by business users.
http://www.ecommercetimes.com/story/BSA-Battles
-Piracy-One-SMB-at-a-Time-60457.html

Foreseeing IT Security Expenses
Coming up with a reasonable estimate of future IT security activities that is based on historical trends can help organizations better estimate how much money they will need in the upcoming year. 
http://www.ecommercetimes.com/story/Thinking
-Through-Your-2008-Security-Budget-60445.html

News Web Sites to Enhance Search Results
Google, Yahoo!, and other search engines are working to revise a 13-year-old technology to achieve greater control over how search engines index and display Web sites.
http://www.businessweek.com/ap/financialnews
/D8T7E6RO1.htm

Group Releases Ranking of Technology Impact in the Environment
Greenpeace's latest quarterly ranking of electronic vendors, Guide to Greener Electronics, spotlights the difficulty in measuring the environmental impact of technology products.
http://www.businessweek.com/technology/content/
nov2007/tc20071127_012063.htm?chan=technolog
y_technology+index+page_computers

10 Practices for Better Role-based Access Management
Fostering role-creation collaboration is one of the ways to enhance an organization's identity and access management strategy.
http://www.itcinstitute.com/display.aspx?id=4533

Poor Performance Is Prevalent on Mobile Web Sites
New report discusses how companies such as Google, Facebook, and MapQuest are struggling to perfect their mobile Web sites.  
http://www.informationweek.com/news/showArticle
.jhtml;jsessionid=PUYP5YSKWALGMQSNDLRC
KHSCJUNN2JVN?articleID=204301181

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

 

Tech Practices Update

Here is the latest technology news from The Institute of Internal Auditors (The IIA):

 GTAG9

The Institute Releases New Guide on Identity and Access Management

Properly identifying who has access to what information over a period of time is an important aspect of an organization's day-to-day work. Known as identity and access management (IAM), this process touches every part of the organization — from accessing a facility's front door to retrieving corporate financial data. To help chief audit executives (CAEs) and internal auditors understand an organization's IAM activities, The IIA recently released Identity and Access Management as part of its Global Technology Audit Guide (GTAG) series. Written in straightforward business language, each GTAG serves as a ready resource for CAEs and internal auditors on different technology-associated risks related to IT management, control, and security.

"Because identity access and management affects every business unit, internal auditors should understand ways that organizations can control access more effectively," says Sajay Rai, CISSP, CISM, partner in Ernst & Young LLP's Risk Advisory Services Practice and leader of the team who wrote the guide. "The purpose of this GTAG is to provide insight into what identity and access management means to an organization and to suggest internal audit areas for investigation."

As the guide explains, IAM processes are used to initiate, capture, record, and manage the user identities and related access permissions to a company's proprietary information. Therefore, as part of their work, auditors need to play an important role in helping organizations develop effective IAM processes and monitor their implementation. For instance, prior to conducting an IAM audit, auditors need to understand the organization's existing IAM structure, such as the company's business architecture and IAM policies, as well as the laws, regulations, and mandates for which compliance is necessary. When conducting the audit, internal auditors need to document the organization's identity and entitlement process and evaluate existing IAM activity controls.

Besides describing how to go about auditing IAM activities, the guide provides an IAM review checklist auditors can use during the audit. The guide also defines key IAM concepts and activities, such as:

  • Main business drivers for identity and access management (i.e., improved regulatory compliance, operating efficiencies, transparency, and user satisfaction; reduced information security risk and IT operating and development costs; and increased effectiveness of key business initiatives).
  • Different areas IAM strategies should address (i.e., who has access to what information, the appropriateness of the access level based on the job being performed, and whether access activities are being monitored, logged, and reported appropriately).
  • Risks that need to be examined and understood as the organization implements new or modified IAM processes (i.e., organization complacency, participation, planning, communication, incorporation of all IT systems into the process, making the process too weak, process complexity, and lack of enforcement).
  • Different IAM components (i.e., identity types, onboarding, and offboarding), as well as the access rights, entitlement, and provisioning processes.
  • How to administer identities, the access rights process, and enforce IAM activities.
  • The proper use of technology in IAM.

"As an organization changes, so too should its use of identity and access management activities," Rai comments. "Therefore, as changes take place, management should be cautious that the process does not become too unwieldy and unmanageable or expose the organization to undue risk due to improper use of IT assets. As part of their work, internal auditors need to ask business and IT management what identity and access management processes are currently in place and how they are being administered."

To read or download Identity and Access Management, visit The IIA's GTAG page.

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.

 

 

ITAudit Special Offer Ad 12-07

As many of you know, starting on Jan. 10, 2008, ITAudit will be available only to members of The Institute of Internal Auditors (The IIA). Because your commitment to ITAudit is extremely important to us, we have extended our special membership offer to ITAudit subscribers until Dec. 31, 2007. If you join The IIA between now and Dec. 31, you will get half off our regular membership price of US $130, giving you access to The Institute's member benefits for just US $65. To download our application form, click here (PDF, 295 KB). For more information about this special offer, visit The IIA's Web site.

_________________________________________________________________________

In This Issue

This month's feature articles include:

To Vista or Not to Vista?
Joe Dysart
Freelance Writer
Switching to Windows Vista is a decision that needs to be made carefully. Looking at the risks associated with Microsoft's latest operating system can help organizations make a decision that fits their strategic IT goals.


Keeping It Simple — An Overview of Data Privacy Compliance Requirements  
David Campbell
Director of Information Security and Business Continuity Planning, AccessData
Auditors can keep organizations from becoming the next big scandal by pointing out common compliance requirements for different data privacy laws and regulations.

Essential Aspects of an Effective Network Performance Audit
Nikhil Wagholikar
Information Security Analyst, NII Consulting
Ongoing assessments of an organization's Internet use, cable performance, e-mail server, and network management activities, can help auditors identify network problem areas before they become too costly to fix.

Also, check out our regular departments for the latest IT and audit information:

New Developments
Book provides essential information on computer forensics; U.S. government pushes for IT security skills baseline; report discusses how to achieve the best value from data analysis; survey provides insight into future IT security trends.

IT and Audit News
Secret backdoor could be present in new encryption standard; new update enhances security features on Apple operating systems; tips for managing GRC software; internal auditor discusses use of rules vs. internal policies.

Tech Practices Update
The Institute releases new guide on identity and access management.

All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.